Commit Graph

251 Commits

Author SHA1 Message Date
Michal Privoznik
a1c68a1fcb security_manager.c: Append seclabel iff generated
With my previous patches, we unconditionally appended a seclabel,
even if it wasn't generated but found in array of defined seclabels.
This resulted in double free later when doing virDomainDefFree
and iterating over the array of defined seclabels.

Moreover, there was another possibility of double free, if the
seclabel was generated in the last iteration of the process of
walking trough security managers array.
2013-03-28 16:13:01 +01:00
Michal Privoznik
e4a28a3281 security: Don't add seclabel of type none if there's already a seclabel
https://bugzilla.redhat.com/show_bug.cgi?id=923946

The <seclabel type='none'/> should be added iff there is no other
seclabel defined within a domain. This bug can be easily reproduced:
1) configure selinux seclabel for a domain
2) disable system's selinux and restart libvirtd
3) observe <seclabel type='none'/> being appended to a domain on its
   startup
2013-03-28 10:01:06 +01:00
Michal Privoznik
6c4de11614 security_manager: Don't manipulate domain XML in virDomainDefGetSecurityLabelDef
The virDomainDefGetSecurityLabelDef was modifying the domain XML.
It tried to find a seclabel corresponding to given sec driver. If the
label wasn't found, the function created one which is wrong. In fact
it's security manager which should modify this part of domain XML.
2013-03-28 10:01:06 +01:00
Olivia Yin
26705e02c1 selinux: deal with dtb file 2013-03-19 15:48:59 -06:00
Daniel P. Berrange
1732c1c629 Fix parsing of SELinux ranges without a category
Normally libvirtd should run with a SELinux label

  system_u:system_r:virtd_t:s0-s0:c0.c1023

If a user manually runs libvirtd though, it is sometimes
possible to get into a situation where it is running

  system_u:system_r:init_t:s0

The SELinux security driver isn't expecting this and can't
parse the security label since it lacks the ':c0.c1023' part
causing it to complain

  internal error Cannot parse sensitivity level in s0

This updates the parser to cope with this, so if no category
is present, libvirtd will hardcode the equivalent of c0.c1023.

Now this won't work if SELinux is in Enforcing mode, but that's
not an issue, because the user can only get into this problem
if in Permissive mode. This means they can now start VMs in
Permissive mode without hitting that parsing error

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-14 12:42:21 +00:00
Daniel P. Berrange
4a92fe4413 Separate MCS range parsing from MCS range checking
Pull the code which parses the current process MCS range
out of virSecuritySELinuxMCSFind and into a new method
virSecuritySELinuxMCSGetProcessRange.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-14 12:42:21 +00:00
Daniel P. Berrange
f2d8190cfb Fix memory leak on OOM in virSecuritySELinuxMCSFind
The body of the loop in virSecuritySELinuxMCSFind would
directly 'return NULL' on OOM, instead of jumping to the
cleanup label. This caused a leak of several local vars.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-14 12:42:21 +00:00
Peter Krempa
27cf98e2d1 virCaps: conf: start splitting out irrelevat data
The virCaps structure gathered a ton of irrelevant data over time that.
The original reason is that it was propagated to the XML parser
functions.

This patch aims to create a new data structure virDomainXMLConf that
will contain immutable data that are used by the XML parser. This will
allow two things we need:

1) Get rid of the stuff from virCaps

2) Allow us to add callbacks to check and add driver specific stuff
after domain XML is parsed.

This first attempt removes pointers to private data allocation functions
to this new structure and update all callers and function that require
them.
2013-03-13 09:27:14 +01:00
Guannan Ren
ce4557c3ab apparmor: use AppArmorSetFDLabel for both imageFD and tapFD
Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could
be used as a common function for *ALL* fd relabelling in Linux.

In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773
Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files
The last line is for the tapfd relabelling.

 # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/rhel6qcow2.log" w,
  "/var/lib/libvirt/**/rhel6qcow2.monitor" rw,
  "/var/run/libvirt/**/rhel6qcow2.pid" rwk,
  "/run/libvirt/**/rhel6qcow2.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
  "/var/lib/libvirt/images/rhel6u3qcow2.img" rw,
  "/dev/tap45" rw,
2013-03-08 10:56:07 +08:00
Jim Fehlig
438a3850db Fix starting qemu instances when apparmor driver is enabled
With the apparmor security driver enabled, qemu instances fail
to start

# grep ^security_driver /etc/libvirt/qemu.conf
security_driver = "apparmor"
# virsh start test-kvm
error: Failed to start domain test-kvm
error: internal error security label already defined for VM

The model field of virSecurityLabelDef object is always populated
by virDomainDefGetSecurityLabelDef(), so remove the check for a
NULL model when verifying if a label is already defined for the
instance.

Checking for a NULL model and populating it later in
AppArmorGenSecurityLabel() has been left in the code to be
consistent with virSecuritySELinuxGenSecurityLabel().
2013-02-28 17:35:59 -07:00
John Ferlan
676688b69b security: Remove unnecessary checks for mgr == NULL
Coverity found the DACGenLabel was checking for mgr == NULL after a
possible dereference; however, in order to get into the function the
virSecurityManagerGenLabel would have already dereferenced sec_managers[i]
so the check was unnecessary. Same check is made in SELinuxGenSecurityLabel.
2013-02-16 07:44:35 -05:00
Laine Stump
7bf1aa0b9b security: add new virSecurityManagerSetChildProcessLabel API
The existing virSecurityManagerSetProcessLabel() API is designed so
that it must be called after forking the child process, but before
exec'ing the child. Due to the way the virCommand API works, that
means it needs to be put in a "hook" function that virCommand is told
to call out to at that time.

Setting the child process label is a basic enough need when executing
any process that virCommand should have a method of doing that. But
virCommand must be told what label to set, and only the security
driver knows the answer to that question.

The new virSecurityManagerSet*Child*ProcessLabel() API is the way to
transfer the knowledge about what label to set from the security
driver to the virCommand object. It is given a virCommandPtr, and each
security driver calls the appropriate virCommand* API to tell
virCommand what to do between fork and exec.

1) in the case of the DAC security driver, it calls
virCommandSetUID/GID() to set a uid and gid that must be set for the
child process.

2) for the SELinux security driver, it calls
virCommandSetSELinuxLabel() to save a copy of the char* that will be
sent to setexeccon_raw() *after forking the child process*.

3) for the AppArmor security drivers, it calls
virCommandSetAppArmorProfile() to save a copy of the char* that will
be sent to aa_change_profile() *after forking the child process*.

With this new API in place, we will be able to remove
virSecurityManagerSetProcessLabel() from any virCommand pre-exec
hooks.

(Unfortunately, the LXC driver uses clone() rather than virCommand, so
it can't take advantage of this new security driver API, meaning that
we need to keep around the older virSecurityManagerSetProcessLabel(),
at least for now.)
2013-02-13 16:11:16 -05:00
Daniel P. Berrange
61b52d2e38 Fix potential deadlock across fork() in QEMU driver
The hook scripts used by virCommand must be careful wrt
accessing any mutexes that may have been held by other
threads in the parent process. With the recent refactoring
there are 2 potential flaws lurking, which will become real
deadlock bugs once the global QEMU driver lock is removed.

Remove use of the QEMU driver lock from the hook function
by passing in the 'virQEMUDriverConfigPtr' instance directly.

Add functions to the virSecurityManager to be invoked before
and after fork, to ensure the mutex is held by the current
thread. This allows it to be safely used in the hook script
in the child process.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-12 11:05:31 +00:00
Eric Blake
736a87b916 build: fix compilation of selinux on RHEL 5
On RHEL 5, I got:

security/security_selinux.c: In function 'getContext':
security/security_selinux.c:971: warning: unused parameter 'mgr' [-Wunused-parameter]

* src/security/security_selinux.c (getContext): Mark potentially
unused parameter.
2013-02-11 17:12:25 -07:00
Daniel P. Berrange
0ab49601a8 Remove re-entrant API call in SELinux/AppArmor security managers
The security manager drivers are not allowed to call back
out to top level security manager APIs, since that results
in recursive mutex acquisition and thus deadlock. Remove
calls to virSecurityManagerGetModel from SELinux / AppArmor
drivers

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-11 16:05:05 +00:00
Daniel P. Berrange
48b49a631a Serialize execution of security manager APIs
Add locking to virSecurityManagerXXX APIs, so that use of the
security drivers is internally serialized. This avoids the need
to rely on the global driver locks to achieve serialization

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-11 12:33:44 +00:00
Daniel P. Berrange
11d926659b Turn virSecurityManager into a virObjectLockable
To enable locking to be introduced to the security manager
objects later, turn virSecurityManager into a virObjectLockable
class

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-11 12:33:41 +00:00
Daniel P. Berrange
fed92f08db Turn virCapabilities into a virObject
To enable virCapabilities instances to be reference counted,
turn it into a virObject. All cases of virCapabilitiesFree
turn into virObjectUnref

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-08 11:34:26 +00:00
Daniel P. Berrange
77c3015f9c Rename all USB device functions to have a standard name prefix
Rename all the usbDeviceXXX and usbXXXDevice APIs to have a
fixed virUSBDevice name prefix
2013-02-05 19:22:25 +00:00
Daniel P. Berrange
202535601c Rename all PCI device functions to have a standard name prefix
Rename all the pciDeviceXXX and pciXXXDevice APIs to have a
fixed virPCIDevice name prefix
2013-02-05 19:22:25 +00:00
Jiri Denemark
3b35369c0f selinux: Properly indent preprocessor directives 2013-01-24 14:10:50 +01:00
Jiri Denemark
d4b7309a9c apparmor: Avoid freeing uninitialized pointer 2013-01-24 14:04:25 +01:00
Richard W.M. Jones
6159710ca1 selinux: Only create the selabel_handle once.
According to Eric Paris this is slightly more efficient because it
only loads the regular expressions in libselinux once.
2013-01-24 12:40:49 +00:00
John Ferlan
a2b36ec5db security: Need to add virCommandFree() 2013-01-24 12:37:30 +01:00
John Ferlan
770b4aa8f0 security: Need to initialize 'sens'
It was possible to call VIR_FREE in cleanup prior to initialization
2013-01-22 17:29:26 +01:00
John Ferlan
05cc035189 selinux: Resolve resource leak using the default disk label
Commit id a994ef2d1 changed the mechanism to store/update the default
security label from using disk->seclabels[0] to allocating one on the
fly. That change allocated the label, but never saved it.  This patch
will save the label. The new virDomainDiskDefAddSecurityLabelDef() is
a copy of the virDomainDefAddSecurityLabelDef().
2013-01-22 14:34:12 +01:00
John Ferlan
7479026b5c security: Use virStrcpy to move the label 2013-01-22 14:34:11 +01:00
Daniel P. Berrange
f24404a324 Rename virterror.c virterror_internal.h to virerror.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
556cf5f617 Rename xml.{c,h} to virxml.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
e861b31275 Rename uuid.{c,h} to viruuid.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
44f6ae27fe Rename util.{c,h} to virutil.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
05dc8398dd Rename storage_file.{c,h} to virstoragefile.{c,h} 2012-12-21 11:19:48 +00:00
Daniel P. Berrange
3ddddd98c3 Rename pci.{c,h} to virpci.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
ab9b7ec2f6 Rename memory.{c,h} to viralloc.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
936d95d347 Rename logging.{c,h} to virlog.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
ebc8db5189 Rename hostusb.{c,h} to virusb.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
0f8454101d Rename conf.{c,h} to virconf.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
04d9510f50 Rename command.{c,h} to vircommand.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
2005f7b552 Rename buf.{c,h} to virbuffer.{c,h}
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-21 11:17:12 +00:00
Ján Tomko
3e7890c8ef security: fix #endif comment in security_stack.h 2012-12-20 19:55:54 +01:00
Daniel P. Berrange
dc068e35c0 Fix arch datatype in vahControl in virt-aa-helper.c
When changing to virArch, the virt-aa-helper.c file was not
completely changed. The vahControl struct was left with a
char *arch field, instead of virArch arch field.
2012-12-19 11:45:31 +00:00
Daniel P. Berrange
c25c18f71b Convert capabilities / domain_conf to use virArch
Convert the host capabilities and domain config structs to
use the virArch datatype. Update the parsers and all drivers
to take account of datatype change

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-18 16:53:03 +00:00
Jiri Denemark
cdfe739c97 apparmor: Fix build 2012-12-17 21:17:55 +01:00
Daniel P. Berrange
a6cbdd7b81 Add support for SELinux labelling of hostdev storage/misc devices
The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
570ad09ef9 Refactor SELinux security driver hostdev labelling
Prepare to support different types of hostdevs by refactoring
the current SELinux security driver code

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
df5928ea56 Allow passing a vroot into security manager hostdev labelling
When LXC labels USB devices during hotplug, it is running in
host context, so it needs to pass in a vroot path to the
container root.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
89c5a9d0e8 Skip bulk relabelling of resources in SELinux driver when used with LXC
The virSecurityManager{Set,Restore}AllLabel methods are invoked
at domain startup/shutdown to relabel resources associated with
a domain. This works fine with QEMU, but with LXC they are in
fact both currently no-ops since LXC does not support disks,
hostdevs, or kernel/initrd files. Worse, when LXC gains support
for disks/hostdevs, they will do the wrong thing, since they
run in host context, not container context. Thus this patch
turns then into a formal no-op when used with LXC. The LXC
controller will call out to specific security manager labelling
APIs as required during startup.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
77d3a80974 Support custom 'svirt_tcg_t' context for TCG based guests
The current SELinux policy only works for KVM guests, since
TCG requires the 'execmem' privilege. There is a 'virt_use_execmem'
boolean to turn this on globally, but that is unpleasant for users.
This changes libvirt to automatically use a new 'svirt_tcg_t'
context for TCG based guests. This obsoletes the previous
boolean tunable and makes things 'just work(tm)'

Since we can't assume we run with new enough policy, I also
make us log a warning message (once only) if we find the policy
lacks support. In this case we fallback to the normal label and
expect users to set the boolean tunable

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 11:22:36 +00:00
Ján Tomko
b28fb61fd7 selinux: fix NULL dereference in GetSecurityMountOptions
In the case of an OOM error in virDomainDefGetSecurityLabelDef, secdef
is set to NULL, then dereferenced while printing the debug message.
2012-12-13 15:41:44 -07:00
Serge Hallyn
a4e44e674e add vnc unix sockets to apparmor policy
When using vnc gaphics over a unix socket, virt-aa-helper needs to provide
access for the qemu domain to access the sockfile.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-12-11 14:32:39 -07:00